JSON Output
What does this mean?
HTML escaping is disabled for JSON output. This may lead to a stored cross-site scripting vulnerability, because HTML in the output is returned without being escaped.
What can happen?
Unescaped HTML in the returned response may be executed as JavaScript and HTML, giving the attacker a stored cross-site scripting vulnerability on the system, which may lead to theft of user data.
Recommendation
It is recommended to enable HTML escaping on JSON output by setting escape_html_entities_in_json to true.
Sample Code
Vulnerable:
escape_html_entities_in_json = false
Non Vulnerable:
escape_html_entities_in_json = true
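
The difference the setting makes to the serialized output, as an added example that is not part of the original page. It uses only Ruby's standard json library and re-creates the escaping by hand; the helper names, the inline template and the sample record are constructed, and the exact escape set (<, > and & written as \u003c, \u003e and \u0026) is an assumption.

```ruby
require "json"

# Added illustration: hand-written stand-in for what enabling
# escape_html_entities_in_json does to serialized strings (assumption:
# <, > and & are emitted as \u003c, \u003e and \u0026).
HTML_ESCAPES = { "<" => "\\u003c", ">" => "\\u003e", "&" => "\\u0026" }.freeze

# Constructed sample: a stored, user-supplied field returned in a JSON response.
STORED_RECORD = { "comment" => "</script><script>alert(1)</script>" }.freeze

# Setting disabled: markup characters pass through untouched.
def json_unescaped(obj)
  JSON.generate(obj)
end

# Setting enabled: same JSON value, but no raw markup characters remain.
def json_html_escaped(obj)
  JSON.generate(obj).gsub(/[<>&]/, HTML_ESCAPES)
end

# Hypothetical template that inlines the JSON into a page.
def embed_in_page(json)
  "<script>var data = #{json};</script>"
end

# An HTML parser closes a script element at the first "</script", even inside
# a JavaScript string, so more than one closing tag means the data escaped.
def breaks_out_of_script?(html)
  html.scan(%r{</script}i).length > 1
end

if __FILE__ == $PROGRAM_NAME
  [method(:json_unescaped), method(:json_html_escaped)].each do |serialize|
    page = embed_in_page(serialize.call(STORED_RECORD))
    puts "#{serialize.name}: breaks out = #{breaks_out_of_script?(page)}"
    puts "  #{page}"
  end
end
```

The escaped form decodes to the same value in any JSON parser, so clients that read the response as data see no change.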